On Thu, May 21, 2015 at 11:10 PM, David Lang <[email protected]> wrote:
> is foreach the only way to access the elements of an array?

Subscripting arr[0], arr[1] etc. can be used to access elements of an
array, but it's not useful in this context.

>
> If you do something like
> foreach ($.class in $!extracted!event.tags) do {
>   if $.class == 'trash' then stop
> }
> /var/log/messages
>
> will messages that have trash as one element in the array still end up being
> written out to /var/log/messages?

No, they won't. Wrote a quick test to validate:
https://github.com/rsyslog/rsyslog/pull/356

>
> Is there a better way to check for an element in an array than the
> following?
>
> set $.found = 'no';
> foreach ($.test in $!something) do {
>   if $.test == 'value' then set $.found = 'yes';
> }
> if $.found == 'yes' then {
>   something
> }

I guess we should support json-path (similar to xpath but for json)
based lookup, and predicates?

$.bazes = get("/foo/bar[?]/baz", $!something)
if (contains($.bazes, "do_something")) then {
  something
}

Given $! = {"foo" : {"bar": [{"baz" : "abc"}, {"baz":
"do_something"}]}} it'll execute something.
But given $! = {"foo" : {"bar": [{"baz" : "abc"}, {"baz":
"do_nothing"}]}} it'll not.

This is clearly a 2-step thing, but I'm proposing this as opposed to a
single-step predicate for composability reasons.

$.bazes in this case can be useful outside the context of
conditional-actions. $.bazes in the first case would be a JSON array of
the form: ["abc", "do_something"]

>
> David Lang
>
> On Thu, 21 May 2015, singh.janmejay wrote:
>
>> Date: Thu, 21 May 2015 21:13:15 +0530
>> From: singh.janmejay <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] Unable to use foreach
>>
>>
>> I think $!mse.element_indices is a string, right?
>>
>> If it's a string, you'll need to parse it to make it an array before
>> you can loop on it. Foreach works only with arrays. It can be an array of
>> anything (string, object, numbers, whatever), but it has to be an
>> array.
>>
>> You can use tokenized field-type to parse it and since you are already
>> using mmjsonparse it shouldn't be a problem.
>>
>> On Thu, May 21, 2015 at 8:47 PM, David Boles (dboles) <[email protected]>
>> wrote:
>>>
>>> Hi,
>>>
>>> I am using rsyslog (v8.9) to process structured log data from umberlog
>>> and Linux's printk_emit. In the log message is a field
>>> "$!mse.element_indices" that can have values such as "0", "0 1", "0 1 2",
>>> and so on. I would like to iterate over the delimited elements of that value
>>> and had supposed that foreach would do something like that.
>>>
>>> With the config below I comment/uncomment the foreach loop. When the
>>> foreach loop is commented out rsyslog creates entries in both mongodb and
>>> the file. When the foreach loop is uncommented, rsyslog produces nothing in
>>> either destination.
>>>
>>> Why does this use of foreach fail? What should I be doing to iterate?
>>>
>>> Thanks,
>>>
>>> David Boles
>>>
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> module(load="imuxsock")
>>> module(load="imkmsg")
>>> module(load="imtcp")
>>> input(type="imtcp" port="10514")
>>> module(load="mmjsonparse")
>>> module(load="ommongodb")
>>>
>>> kern.* /var/log/db_kernel.log
>>> *.* /var/log/db_full.log
>>>
>>> template(name="mse-structured-info" type="subtree" subtree="$!")
>>>
>>> template(name="mse-all-info" type="list") {
>>>     property(name="jsonmesg" outname="msg")
>>> }
>>>
>>> if ($fromhost-ip == '127.0.0.1' and $syslogfacility-text != 'kern') then
>>> {
>>>     action(type="mmjsonparse")
>>>     if $parsesuccess == "OK" then {
>>>         set $!foo = $!mse.element_indices;
>>>
>>>         set $!amph = "toad";
>>> #       foreach ($.index in $!mse.element_indices) do {
>>> #           set $!amph = "turtle";
>>> #       }
>>>         action(type="ommongodb" server="somemachine.somewhere.org"
>>>                db="logs" collection="syslog"
>>> template="mse-structured-info")
>>>
>>>         action(type="omfile" template="mse-all-info"
>>>             file="/var/log/db_local_user_structured.log")
>>>     }
>>> }
>>>
>>> $WorkDirectory /var/spool/rsyslog
>>>
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>>> LIKE THAT.



-- 
Regards,
Janmejay
http://codehunk.wordpress.com
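
Added example, not part of the original message and not rsyslog code: a small Python model of the two-step lookup proposed above, run on the two JSON trees from the mail. The `get`/`contains` semantics used here (`[?]` fans out over every element of an array; a missing key or a non-array under `[?]` yields no match) are assumptions about the proposal, which the mail only sketches.

```python
import json

def get(path, tree):
    """Step 1: collect every value reached by `path` into a flat list.

    A step ending in "[?]" fans out over all elements of the array stored
    under that key (assumed meaning of the proposed syntax).
    """
    nodes = [tree]
    for step in path.strip("/").split("/"):
        fan_out = step.endswith("[?]")
        key = step[:-3] if fan_out else step
        found = []
        for node in nodes:
            if not isinstance(node, dict) or key not in node:
                continue  # missing key: this branch contributes nothing
            child = node[key]
            if not fan_out:
                found.append(child)
            elif isinstance(child, list):
                found.extend(child)
            # a string or object under [?] matches nothing, mirroring
            # foreach, which only iterates over arrays
        nodes = found
    return nodes

def contains(values, wanted):
    """Step 2: the predicate, kept separate so step 1's result is reusable."""
    return wanted in values

# The two trees from the mail, plus a constructed one where "bar" is a
# string rather than an array (the situation in the original question).
DOC_MATCH = json.loads('{"foo": {"bar": [{"baz": "abc"}, {"baz": "do_something"}]}}')
DOC_NO_MATCH = json.loads('{"foo": {"bar": [{"baz": "abc"}, {"baz": "do_nothing"}]}}')
DOC_STRING = json.loads('{"foo": {"bar": "0 1 2"}}')

if __name__ == "__main__":
    for doc in (DOC_MATCH, DOC_NO_MATCH, DOC_STRING):
        bazes = get("/foo/bar[?]/baz", doc)
        print(bazes, "-> action runs:", contains(bazes, "do_something"))
```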